Disaster Recovery Plan / Enterprise Continuity Plan
âĸDownload as PPTX, PDFâĸ
13 likesâĸ18,591 views
Disaster Recovery Plan / Enterprise Continuity Plan
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (19)
Similar to Disaster Recovery Plan / Enterprise Continuity Plan
Similar to Disaster Recovery Plan / Enterprise Continuity Plan (20)
Recently uploaded
Recently uploaded (20)
Disaster Recovery Plan / Enterprise Continuity Plan
- 1. DRP/ECP Disaster Recovery Plan / Enterprise Continuity Plan Marcelo Silva
- 2. Agenda īŽ īŽ īŽ īŽ īŽ īŽ īŽ Introduction Roles of DRP/ECP The 6 Resilience Layers Training for the DRP team Choosing outside expertise to assist with development of a DRP Developing a DRP/ECP awareness campaign Implementing a DRP/ECP awareness campaign
- 3. Introduction īŽ īŽ īŽ īŽ Why DRP/ECP? Benefits of a DRP/ECP Three vital Ingredients of a successful DRP/ECP Defensive Posture / Offensive Posture
- 4. Roles of DRP/ECP īŽ īŽ īŽ īŽ īŽ īŽ īŽ Emergency Management team (EMT) Damage Assessment Team Restoration Team Operations Team Customer Support Team Salvage/Reclamation Team Administrative Support Team
- 5. The 6 Resilience Layers 1. 2. 3. 4. 5. 6. Strategy Organization Business and IT Processes Data and Applications Technology Facilities and security
- 6. The 6 Resilience Layers 1.Strategy Strategy is the first layer to be discussed On this layer, the below components will be assessed and examined: īŽ Vulnerabilities īŽ Risks īŽ Competitive edge īŽ baseline organizational culture
- 7. The 6 Resilience Layers 2.Organization īŽ īŽ īŽ īŽ īŽ Executive sponsor Roles, Responsibilities and Accountabilities Well defined communication protocol Cross-line-of-business linkage Skills that are critical to the company
- 8. The 6 Resilience Layers 3.Business and IT Process A successful plan requires identify: īŽ īŽ īŽ īŽ īŽ The minimum required functionalities during disruptive events Alternate process/procedure that will allow operations to continue Processes to achieve better workload balance All processes and the contingency plan must be clear to all organizationâs stakeholders Business processes that support Virtual, flexible and distributed workplaces
- 9. The 6 Resilience Layers 4.Data and Applications īŽ īŽ īŽ īŽ Good, valuable and reliable information Data and Application diversification Architectures standardization Ensure performance, availability and scalability
- 10. The 6 Resilience Layers 5.Technology Technology components when planning resiliency: īŽ Hardware architecture īŽ System software īŽ Middleware īŽ Networks īŽ Security Solutions Levels of availability that should be aligned to the resiliency objectives: ī§ Reliability ī§ Redundancy ī§ Failover
- 11. The 6 Resilience Layers 6.Facilities and Security Level of the enterpriseâs facilities: īŽ Environment considerations īŽ Geographical location īŽ Dispersion īŽ Security Access (Physical and logical security) īŽ Power protection īŽ Heating and cooling
- 12. The 6 Resilience Layers Examples 1. 2. 3. 4. 5. 6. Strategy īŽ The university position in comparison to others Organization īŽ Executive support Business and IT Processes īŽ IT Processes changing Data and Applications īŽ SharePoint Server for all data â Diversification is required Technology īŽ No additional Exchange or SharePoint server Facilities and security īŽ Eminent power outage in case of disaster
- 13. Training for the DRP team īŽ īŽ īŽ īŽ īŽ īŽ īŽ Risk evaluation and control Business impact analysis Emergency response and operations Incident management Developing and implementing DRP/ECPs Maintaining and exercising BCPs Public relations, media and crisis communication
- 14. Choosing outside expertise to assist with development of a DRP Consultant that: īŽ Acts as a facilitator whenever it is appropriate īŽ Produces solid lasting solutions īŽ Understands and acts to further the clientâs mission īŽ Only makes promises when they can be kept īŽ Minimizes dependency of the client on the consultant īŽ Encourages the clientâs competence, confidence and commitment īŽ Works with the client on the problem solution īŽ Focuses on the relationship with the client and technical problems īŽ Doesnât take on any of the clientâs responsibilities.
- 15. Developing a DRP/ECP awareness campaign īŽ īŽ īŽ īŽ Establish goals and Components Define the training/awareness method Identify the target / audience Implementing the awareness program
- 16. Implementing a DRP/ECP awareness campaign īŽ īŽ īŽ īŽ īŽ Include DRP/ECP in the New Hire Orientation Formal training Awareness seminars and Brown bag sessions Newsletter and Intranet DRP/ECP quizzes
- 17. References īŽ īŽ īŽ īŽ īŽ īŽ Hiles, A. (2007). The Definitive Handbook of Business Continuity Management, Second Edition. John Wiley & Sons. Hiles, A. (2011). The Definitive Handbook of Business Continuity Management, Third Edition. John Wiley & Sons. Goble, G., Fields, H., & Cocchiara, R. (2002). Resilient Infrastructure: improving your business resilience. IBM Global Services. Maiwald, E., & Sieglein, W. (2002). Security Planning & Disaster Recovery. Berkeley, CA: McGraw-Hill/Osborne. BS 25999-1 (2006). Business Continuity Management - Code of Practice. BSI. BS 25999-2 (2007). Business Continuity Management - Specification. BSI.
Editor's Notes
- Western Governors UniversityMaster of Science, Information Security and AssuranceFXT2 â Disaster Recovery Planning, Prevention and ResponseMarcelo Braga SilvaStudent ID: 000200452
- This Agenda will cover the requirements for the Task 1 of the FXT2 course, part of the Master of Science, Information Security and Assurance program at WGU.January, 2014.
- According to Goble, Fields, & Cocchiara (2002), resilient infrastructures are those ones that are âcapable of proactively responding to both anticipated and unexpected stress and strainsâ (p. 2).Thus, following below an introduction on the Disaster recovery Plan and Enterprise Continuity Plan:Why DRP/ECP?In case some infrastructure failure, if the university is not well prepared to respond to such unexpected event, it can lose some business opportunities, students and partners, reputation and credibility, research data, and even its most valuable information and applications.Benefits of a DRP/ECPIdentification of critical applications and services for the businessIdentification and preparedness for the major risksReduce the downtimes of applications and services Improve operational effectiveness and resilienceProtection of assetsBe compliance with national and international laws and standardsImprove securityDemonstrate continuity capabilities for the market, including customers, partners and shareholdersThree vital Ingredients of a successful DRP/ECP (Goble, G., Fields, H., & Cocchiara, R. 2002, p. 9)Recovery ī Safe, rapid, offsite data recoveryHardening ī The fortification of all or part of the infrastructureRedundancy ī The duplication of all or part of the infrastructure Defensive Posture / Offensive PostureDefensive Posture components:Recovery Hardening Redundancy Offensive Posture components:AccessibilityDiversificationAutonomic computing
- The DRP/ECP team are composed by different teams. One of the key teams is the Emergency Management Team (EMT)According to Hiles (2007), the EMTâs role is âto take business decisions, assess and make judgments on business priorities and to facilitate and support the business continuity manager. It also has an important role in marketing, public relations and media management issues.âFollowing below some roles of the DRP/ECP team members:Emergency Management Team Composed by key senior managers, Public relations and marketing and Business continuity manager or coordinator.Damage Assessment TeamThe Damage Assessment Team assesses the damage to the Data Center and reports to the EMT.Restoration TeamThis team brings the Production site systems and applications to operational mode in a DR site. And also brings they back to the production site.Operations TeamThe Operations Team assists in the recovery operations of infrastructure, systems and services.Customer Support TeamThis is the team that assists the customers (external/internal) during the disaster, until operations are resumed.Salvage/Reclamation TeamThe Salvage/Reclamation Team manages the restoration or rebuilding of the Data Center.Administrative Support TeamThe Administrative Support Team cooperate with logistical and organizational support for all other teams.
- This six layers represent the âFramework for resiliencyâ (Goble, Fields, & Cocchiara, 2002).This framework enables management and technical teams to lead the Enterprise to a successful Disaster Recovery Plan.
- When we talk about preparedness for anticipated and unexpected events, the Strategy layer is the first one to be discussed. On this layer, some assessments will examine components such as vulnerabilities and risks regarding to the enterprise, taking in account its industry position and its competitively. Also, the enterpriseâs strategies and the baseline organizational culture will be examined. (Goble, Fields, & Cocchiara, 2002)
- Organizational changes are required to build a successful resiliency plan.It requires an Executive sponsor, usually a senior business leader or a Vice President.Roles, Responsibilities and AccountabilitiesWell defined communication protocolCross-line-of-business linkageSkills that are critical to the company
- The resiliency plan should focus on the business and IT process and procedures that are critical for the organizationâs operation and its infrastructure. A successful plan requires identify:What are the minimum required functionalities during disruptive eventsAlternate process and procedure that will allow operations to continueProcesses to achieve better workload balanceAll processes and the contingency plan must be clear to all organizationâs stakeholdersBusiness processes that support Virtual, flexible and distributed workplaces. (Goble, Fields, & Cocchiara, 2002).
- 21st Century organizations rely on good, valuable and reliable information, whether they are about customers, employees, competitors, products or suppliers, and the systems responsible for processing and analysing those information as well. Thus, multiples data and application sources are required. Data and Application diversificationArchitectures standardizationEnsure performance, availability and scalability
- Technology is a key component to create a resilient business. The IT infrastructure and the budget assigned to it must be aligned to the organizationâs resiliency goals.Technology components when planning resiliency:Hardware architectureSystem softwareMiddlewareNetworksSecurity Solutions Levels of availability that should be aligned to the resiliency objectives:ReliabilityRedundancyFailoverSingle point of failure: Should be known and addressedHigh-Availability (HA) components in the infrastructure should be examined.Continuous replication across different sites (Primary/Secondary)
- When examining the resiliency level of the enterpriseâs facilities:Environment considerationsGeographical locationDispersionSecurity Access (Physical and logical security)Power protection (UPS, batteries, Generators, etc.)Heating and cooling (Pods, Racks, small rooms, UPS rooms)Provide and testing the security mechanisms and equipment.
- Strategy: Risks, Vulnerabilities and competitively will be assessed, taking in account the position the university has in comparison to the other universities, regional and national.Organization: The university needs a executive support for the plan, and for all organizational changes that the university will need for a successful DRP.Business and IT Processes: The university will have to change some IT process in order to enable employees and students to leverage the universityâs infrastructure beyond of the three-floor facilities that it has currently.Data and Applications: Currently the university uses the Microsoft SharePoint for all data. However, for a good resilient plan, some diversification of data and application should be implemented, and high availability by implementing redundant servers across different sites also recommended.Technology: The university has only one server for each application: One Exchange Server and one SharePoint Server. Currently there is no redundancy neither additional servers for failover in case of disaster, or even to recover from a simple hardware failure. Thus, there is a single point of failure and itâs something that will be addressed in the technology layer of the Framework for Resiliency.Facilities: There are physical risks to the operations. Blizzards could potentially knock out power and earthquakes could damage the building.
- BS 25999-1 (2006) requires that âthe organization should have a process for identifying and delivering the BCM awareness requirements of the organization and evaluating the effectiveness of its delivery.âRisk evaluation and controlBusiness impact analysisEmergency response and operationsIncident managementDeveloping and implementing DRP/ECPsMaintaining and exercising BCPsPublic relations, media and crisis communication
- The university should look for the following characteristics on outside expertise to assist with the development of a DRP:Acts as a facilitator whenever it is appropriateAvoids âquick fixesâ and produces solid lasting solutionsUnderstands and acts to further the clientâs missionDoes not confuse the client by talking in a different languageOnly makes promises when they can be keptKeeps a good relationship with others in the companyMinimizes dependency of the client on the consultantEncourages the clientâs competence, confidence and commitmentWorks with the client on the problem solutionFocuses on the relationship with the client and technical problemsDoesnât take on any of the clientâs responsibilities.Hiles, A. (2007).
- BSI 25999-1 Business Continuity Management Code of Practice requires that âthe organization should have a process for identifying and delivering the BCM awareness requirements of the organization and evaluating the effectiveness of its delivery.â (Hiles, 2011)Establish goals and ComponentsTraining the team leaders (âTrain the trainersâ) and other team membersCover the skills gaps in the Enterprise Continuity team, indicated in BS 25999/DRII Common Body of KnowledgeTrain the EC team through exercising the plan (Hiles, 2011).Disseminate all information related to the Disaster Recovery Plan and Enterprise Continuity Plan and Policy, including priorities and objectives, deliverables, level of acceptance of disruption and recovery time.Define the training/awareness methodInduction training for new hiresArticles, news and letters in corporate newslettersUse of internal web pages, blogs and Intranet.Conducting tests and exercises, with observersIdentify the target / audienceAll stakeholders: members of the Business Continuity team and other enterprise staff (Employees, contractors and consultants).Implementing the awareness program (next slide)
- Maiwald & Sieglein (2002) stated that we âshould take advantage of every possible method to keep users interested and engagedâ. Therefore, following below some training methods to be implemented as part of the DRP/ECP awareness campaign:Include DRP/ECP in the New Hire OrientationThe organizationâs information security policies and procedures should be covered during the Orientation (Maiwald & Sieglein, 2002)The new hires should be compliant with all security policies and proceduresThe new hires should read and sign the Acceptable Use Policy and any other document related to the Information SecurityFormal trainingVendorâs specific training for the infrastructure and security teams: Network devices (Switches, routers, load balancers, gateways); Security solutions (Firewalls, proxies, IDS, IPS, Antivirus, HSMs); Servers (hardware, Operating Systems, Virtualization) among others.Internal training in accordance with each stakeholders group.Awareness seminars and Brown bag sessionsProvide information about new technologies within the company and the security related to themProvide the latest and useful information regards the DRP/ECPTell them how they can help in case of some unexpected event comes upExplain how the company is counting on them to have a successful DRP/ECP implementedNewsletter and IntranetImplement a quarterly Awareness Newsletter for end-usersCreate an area in the company Intranet dedicated to the DRP/ECP awarenessAdd some security-related information, including external links to vendorâs website and articlesDRP/ECP quizzesPeriodically enable some quizzes in the Intranet and also during some seminars and trainings, and promote some raffles as an way to encourage them.